Download Cataloged Versions Only for Proxied Repositories
This feature is sunsetted as of January 2024. Use Blocking Unknown Components with Repository Firewall's Release Integrity going forward.
Enforcing an IQ server policy to block non-cataloged components can lead to build errors and can be difficult for developers to troubleshoot. The npm package metadata will contain all available versions; however, retrieving a non-cataloged tarball will fail when Sonatype Repository Firewall is enabled.
This often happens when a project uses the latest tag for a dependency that was recently updated and IQ Server has not yet cataloged the new version. You can manually intervene to pin versions, but this requires handling both direct and transitive dependencies.
Instead, configure Sonatype Nexus Repository to remove non-catalogued versions from npm package metadata. With this option enabled, npm will only use new versions that are known to Nexus Intelligence. Once the component is known, it will appear in the proxied metadata.
To configure Sonatype Nexus Repository to remove non-cataloged versions from the npm package metadata, you must configure two settings: First, enable the Firewall Audit and Quarantine capability on the proxy repository. Second, enable the Download cataloged versions only option in the repository settings page.